Jul 1, 2018
Using SSL with Canvas
Create your own keystore and SSL certificate
- Open a Command Line Window using Run As Administrator
- Use the cd command to change the directory to the conf directory where Canvas is installed:
cd C:\CWAS\conf
- Create your own keystore and generate a Certificate Signing Request:
..\jre\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore canvas.keystore -keysize 2048
- Enter a password and write it down so you can use it later:
Enter keystore password:
- Enter the details for the certificate:
- First and last name (Common Name (CN)): Enter the domain you are going to use for Canvas (e.g. canvas.mycompany.org) in the “first and last name” field. It looks like “www.company.com” or “company.com”. NOTE: The Common Name must match the URL people are going to use to access Canvas.
- Organizational Unit (OU): This field is optional, but can be used to help identify certificates registered to an organization, e.g. the name of the department making the request.
- Organization (O): Your company or department name; exclude any special characters such as & or @ from the name.
- Locality or City (L): The locality field is the city or town name, for example: New York.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: Florida
- Country Name (C): Use the two-letter code for the country, for example: US, AU, UK, etc.
- Confirm that the details are correct, type ‘y’ and press <Enter>:
Is CN=demo.cubewise.com, OU=Unknown, O=Cubewise, L=North Sydney, ST=New South Wales, C=AU correct?
[no]: y
- Press <Enter> to use the same password as the keystore password entered above:
Enter key password for <canvas>
(RETURN if same as keystore password): [Enter]
- Generate a Certificate Signing Request (CSR) to be used by a Certificate Authority (Symantec, Thawte, DigiCert, GeoTrust, Go Daddy, etc.):
..\jre\bin\keytool -certreq -alias tomcat -file canvas.csr -keystore canvas.keystore
- Enter the keystore password you created above:
Enter keystore password:
- Follow the steps of your Certificate Authority to purchase a new certificate using the canvas.csr file that was created in the previous step.
NOTE: The canvas.csr file will be in the conf directory where Canvas is installed
- At this point you should make a copy of the canvas.keystore file so you have a backup if you encounter problems when importing certificates
Import Your X.509 Certificate into the Key Store
- Open a Command Line Window using Run As Administrator
- Use the cd command to change the directory to the conf directory where Canvas is installed
cd C:\CWAS\conf
- First import any root/intermediate certificate(s) as instructed by your Certificate Authority. These need to be imported BEFORE your own certificate is imported:
- Save any root/intermediate certificates to the conf directory, e.g. root.cer
- Execute the following, changing the -alias and -file options for each certificate:
..\jre\bin\keytool -import -trustcacerts -alias root -keystore canvas.keystore -file root.cer
- Enter the password from above and press enter
- Import your actual certificate into the key store:
- Save the certificate to the conf directory, e.g. canvas.cer.
- Execute the following; the alias must match the alias used in the -genkey step above:
..\jre\bin\keytool -import -trustcacerts -alias tomcat -keystore canvas.keystore -file canvas.cer
- Enter the password from above and press Enter
- If you get the message "Certificate reply was installed in keystore", the certificate has been successfully installed in the keystore.
- If you receive the error "keytool error: java.lang.Exception: Failed to establish chain from reply", you need to install the appropriate intermediate certificates first.
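As an added check (example code written for this page, not part of Canvas or of keytool): after the import, run ..\jre\bin\keytool -list -v -keystore canvas.keystore, save the output to a file and pass its text to check_canvas_keystore(). It confirms that the alias holds a private key, that the certificate's CN matches the host name users will type, and that the CA reply (rather than the original self-signed certificate) is what sits in the keystore. The listing below is a constructed sample, not real keytool output.

```python
import re

# Constructed sample of `keytool -list -v` output (not captured from a real keystore); alias and DN mirror the steps above.
SAMPLE_LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=demo.cubewise.com, OU=Unknown, O=Cubewise, L=North Sydney, ST=New South Wales, C=AU
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

def _field(block, pattern):
    m = re.search(pattern, block, re.M)
    return m.group(1) if m else ""

def parse_entries(listing):
    # Map each alias to its entry type and the leaf certificate's Owner/Issuer DN.
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        entries[block.splitlines()[0].strip()] = {
            "type": _field(block, r"^Entry type: (.+)$"),
            "owner": _field(block, r"^Owner: (.+)$"),  # first Owner: line is Certificate[1], the leaf
            "issuer": _field(block, r"^Issuer: (.+)$"),
        }
    return entries

def cn_of(dn):
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""

def check_canvas_keystore(listing, alias, expected_host):
    # Return the problems found; an empty list means the keystore is ready for server.xml.
    entry = parse_entries(listing).get(alias)
    if entry is None:
        return [f"alias {alias!r} not found in keystore"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"alias {alias!r} is a {entry['type']}, not a private key entry")
    if cn_of(entry["owner"]).lower() != expected_host.lower():
        problems.append(f"CN {cn_of(entry['owner'])!r} does not match {expected_host!r}")
    if entry["owner"] == entry["issuer"]:
        problems.append("certificate is still self-signed: the CA reply has not been imported")
    return problems
```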
Update the Connector Settings for the New Key Store
- Open conf/server.xml (in the Canvas install directory)
You will need to add the following Connector between the <Service> and <Engine> elements, replacing keystorePass="password" with the keystore password you chose above:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443"
           maxThreads="200"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           keystoreFile="C:/CWAS/conf/canvas.keystore"
           keystorePass="password"
           clientAuth="false"
           sslProtocol="TLS"
           URIEncoding="UTF-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
           compression="on"
           compressionMinSize="2048" />
You can choose a different port number; in this example we are using 8443.
The server.xml file should look like this:
Finally, restart the Cubewise Application Server service; you should now be able to access Canvas through the new port (8443 in this example):
- https://localhost:8443/samples